Date:      Wed, 17 May 2000 16:17:13 -0400 (EDT)
From:      Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        security@FreeBSD.ORG, Robert Watson <rwatson@FreeBSD.ORG>, Darren Reed <darrenr@reed.wattle.id.au>, Peter Wemm <peter@netplex.com.au>
Subject:   Re: HEADS UP: New host key for freefall!
Message-ID:  <200005172017.QAA26098@khavrinen.lcs.mit.edu>
In-Reply-To: <Pine.BSF.4.21.0005171255500.80144-100000@freefall.freebsd.org>
References:  <3922D9A3.9EEC6033@softweyr.com> <Pine.BSF.4.21.0005171255500.80144-100000@freefall.freebsd.org>

<<On Wed, 17 May 2000 13:09:32 -0700 (PDT), Kris Kennaway <kris@FreeBSD.ORG> said:

> The point of a PKI is that you can have a *single* trusted root
> certificate with all others signed by that one in a hierarchy. In order to
> root the tree in something which (e.g.) Netscape browsers will
> automatically understand, we'd need to have at least one key signed by a
> commercial CA (Verisign, Thawte, ..) 

...who are generally unwilling to sign CA certificates, and when they
are, charge very large sums of money to do so.  This is why most
organizations which use X.509 for internal authentication purposes 
run their own CAs and deploy customized Web-browser installations
which come with the appropriate CA certs preinstalled.  (My employer,
which owns tens of thousands of computers and has almost as many
employees, does this.  People who install the "latest and greatest"
browser from wherever don't get support.)

-GAWollman